Bug 146181 - mod_auth_kerb keytab type documentation
mod_auth_kerb keytab type documentation
Product: Fedora
Classification: Fedora
Component: mod_auth_kerb (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2005-01-25 14:50 EST by Patrick Paul
Modified: 2008-02-05 00:56 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-05 00:56:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Patrick Paul 2005-01-25 14:50:34 EST
Description of problem:
The documentation for mod_auth_kerb states that the keytab needs to be
of type HTTP/<fqdn_of_www_server>@REALM.  If another keytab service
type is required, then you must use KrbServiceName "service", where
"service" would most likely be host/<fqdn_of_www_server>@REALM.
The documentation is wrong.  Keytabs of service type host/ are
accepted by default.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Get a keytab for the system, of 'normal' type host/
2.In .htaccess put the proper location to krb5keytab to point to this
file, also make sure krbauthrealm is properly set and krbverifykdc is
set to off.
3.Put in the AuthName and require user@REALM entries in .htaccess

Actual results:
The user is allowed in with their kerberos credentials

Expected results:
Since the keytab is of type host/, and not HTTP/ as per the
documentation, mod_auth_kerb shouldn't work, but it does.

Additional info:
Many universities(MIT for example) have a web site set up to allow you
to request a keytab.  Their staff has access to automated scripts,
etc.., that let them create keytabs of type host/, not HTTP/.  Had the
documentation stated correctly that keytabs of type host/ work out of
the box, much time would have been saved.
Comment 1 Joe Orton 2005-01-25 16:39:18 EST
By "documentation" are you referring to the wording in the example
configuration file, /etc/httpd/conf.d/auth_kerb.conf, or the README?
Comment 2 Patrick Paul 2005-01-25 16:55:59 EST
Woops, sorry about ambiguity.

Documentation refers to 

1) The README, lines 92 and 139.
2) The example /etc/httpd/conf.d/auth_kerb.conf, lines 12-13.

I looked at every piece of documentation from
http://modauthkerb.sourceforge.net/, and it agrees and says the same

Also, the code, at (unpatched 5.0-rc6 source) line 236 in
mod_auth_kerb.c does a specific '... ->krb_service_name = "HTTP"'
Comment 3 Joe Orton 2005-01-28 07:13:45 EST
Sorry, I'm still not clear what you're reporting.  Are you saying that
the documentation is wrong and should be changed to match the
behaviour of the code?   Or that the code is wrong and should be
changed to match the documentation?

I'm not sure precisely what is confusing about the README; it merely
talks about the default service name.  Likewise the line of code you
reference merely sets the default service name, allowing the
configuration to override it if desired.
Comment 4 Patrick Paul 2005-01-28 11:57:32 EST
Sorry, confusion definitely happens when I've yet to have coffee.

The documentation is wrong.  The documentation says HTTP/ _only_ works
by default.  I have keytab in place of type host/, and this works.  I
did not specify type host/ in the configuration, as the documentation
says I needed to.

I listed the source code only to show that even the source code says
type HTTP/ is the default, and that type host/ is nowhere to be seen.
 This was only done to point out that I have no idea _where_ the code
is allowing type host/ by default.
Comment 5 Alex Hochberger 2005-05-22 01:14:48 EDT
Documentation is sort of right...  While the mod_auth_kerb system WILL work with host/ instead of 
HTTP/, it may create problems with certain clients.  The "standard" is HTTP, so while some browsers will 
go in fine with a host tab only, the lack of HTTP may create problems with others.  The software 
SHOULD be modified to match the documentation, although that would be removing a useful if 
"incorrect" feature.  Changing the documentation will potentially cause problems elsewhere.
Comment 6 Matthew Miller 2006-07-10 17:21:39 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 7 petrosyan 2008-02-05 00:56:45 EST
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug.

Note You need to log in before you can comment on or make changes to this bug.